At 01:16 PM 9/27/03 +0200, Carlo Wood wrote:
I noted this too.
It doesn't seem like a good idea therefore that spamassassin comes
with a pre-built whitelist; it makes it too easy for abusers to
know which addresses to fake.

Well, bear in mind however that the default whitelist entries are NOT merely a whitelist_from. They have a received check.

Now, there was a bug which caused the whitelist_from_rcvd lines to not work correctly, but that's now fixed in 2.6x.

See http://bugzilla.spamassassin.org/show_bug.cgi?id=846

So, when the whitelist is working properly, the spammer must forge the from AND send from a server which has a reverse DNS containing paypal.com.

And that MUST be the reverse DNS of the server delivering mail to a trusted mailserver, it cannot be merely added to some forged received: line. Forging From addresses is easy, but fudging the reverse DNS lookup results that YOUR mailserver will find is considerably more difficult.

Provided you've got your trusted servers configured correctly, forging the default whitelist should be extraordinarily difficult in 2.6x. They'd have to either hack your server, take over the RDNS zone of the open relay they are abusing, or successfully engage in a DNS cache poisoning attack.

Sure, DNS cache poisoning is a realistic thing to do; BIND 8 is extremely weak to poisoning, and a good birthday attack can get about a 20% chance of success against BIND 9. However, that's assuming 5,000 spoofed and carefully chosen DNS replies. djbdns is a little more predictable than BIND in its choice of transaction IDs, but it uses random source ports as well, making practical attacks much more difficult. The numbers I've seen would lead to about a 9% chance of success against djbdns.

Still, 5000 spoofed DNS replies per domain that you're sending spam to is going to slow a spam run to a complete crawl, making the attack impractical.

So, they either need to hack the DNS server that hosts the RDNS for their open relay (practical in some cases, but not very practical in the case of abusing cable-modem/dsl "home user server" situations), or they need to hack your server (at which point, it's game over for SA anyway).

Hacking every server you're going to deliver spam to is pretty impractical, so targeting the server that hosts the DNS records in the first place is the best way, and that's a mixed bag at best.
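To make the "received check" described above concrete, here is an added example (not SpamAssassin's own code, and a simplified model of what whitelist_from_rcvd does rather than its implementation). It assumes a hypothetical trusted network of 192.0.2.0/24, a single whitelist entry pairing `*@paypal.com` with the rDNS domain `paypal.com`, and Postfix-style `Received: from helo (rdns [ip])` lines. It walks the Received headers from our side outward until it reaches the first hop delivered by a host outside the trusted network; only the rDNS recorded at that hop (which our own MTA looked up) counts. The two messages are constructed samples: one genuinely relayed from a paypal.com host, and one with a forged From plus a forged Received line appended by an untrusted sender.

```python
import fnmatch
import ipaddress
import re
import email.utils
from email import message_from_string

# Hypothetical configuration, mirroring the shape of SpamAssassin's
# trusted_networks and whitelist_from_rcvd settings (values are made up).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
WHITELIST_FROM_RCVD = [("*@paypal.com", "paypal.com")]

# Matches the "from <helo> (<rdns> [<ip>])" part of a Postfix-style Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)


def parse_received(msg):
    """Return one dict per Received header, in header order (newest first)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr.replace("\n", " "))
        if m:
            rdns = m.group("rdns")
            hops.append({
                "rdns": None if rdns in (None, "unknown") else rdns,
                "ip": ipaddress.ip_address(m.group("ip")),
            })
        else:
            hops.append(None)  # unparseable hop: stop trusting anything below it
    return hops


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def first_untrusted_hop(hops):
    """Walk from our MTA outward; the first hop whose sending IP is not in the
    trusted network is the handoff from the outside world. Every Received line
    below that one was written by hosts we do not control and is ignored."""
    for hop in hops:
        if hop is None:
            return None
        if not is_trusted(hop["ip"]):
            return hop
    return None


def domain_matches(rdns, domain):
    rdns, domain = rdns.rstrip(".").lower(), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelisted(raw_message):
    """True only if the From address matches a whitelist glob AND the delivering
    host's reverse DNS (as seen by a trusted server) is in the paired domain."""
    msg = message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    hop = first_untrusted_hop(parse_received(msg))
    if hop is None or hop["rdns"] is None:
        return False
    return any(
        fnmatch.fnmatchcase(from_addr, addr_glob) and domain_matches(hop["rdns"], rdns_domain)
        for addr_glob, rdns_domain in WHITELIST_FROM_RCVD
    )


# Constructed sample 1: relayed to our trusted MX straight from a paypal.com host.
LEGIT_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    " by inbox.example.net (Postfix) with ESMTP; Sat, 27 Sep 2003 13:20:00 +0200\n"
    "Received: from mail.paypal.com (mail.paypal.com [203.0.113.7])\n"
    " by mx1.example.net (Postfix) with ESMTP; Sat, 27 Sep 2003 13:19:55 +0200\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample 2: forged From, delivered by a DSL host; the bottom Received
# line claiming a paypal.com origin was added by the sender and is never consulted.
FORGED_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    " by inbox.example.net (Postfix) with ESMTP; Sat, 27 Sep 2003 13:20:00 +0200\n"
    "Received: from mail.paypal.com (dsl-pool-77.example-isp.net [198.51.100.77])\n"
    " by mx1.example.net (Postfix) with ESMTP; Sat, 27 Sep 2003 13:19:55 +0200\n"
    "Received: from mail.paypal.com (mail.paypal.com [203.0.113.7])\n"
    " by dsl-pool-77.example-isp.net with SMTP; Sat, 27 Sep 2003 13:19:50 +0200\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print("legit whitelisted:", whitelisted(LEGIT_MESSAGE))    # True
    print("forged whitelisted:", whitelisted(FORGED_MESSAGE))  # False
```

The forged message fails even though it carries both the whitelisted From address and a Received line naming mail.paypal.com: the walk stops at the hop our trusted MX actually accepted, whose rDNS is the DSL pool name, exactly the property the post relies on. Note this toy trusts the rDNS string as written into the header by the trusted MTA; it does not itself verify forward/reverse consistency.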

Spamassassin-talk mailing list: https://lists.sourceforge.net/lists/listinfo/spamassassin-talk